Latest Post

ePHI Data Leakage and the 8 Hiding Places You’ve Forgotten

Brad Spannbauer
| Jul 18, 2016

In the last few years, HIPAA’s regulators and auditors have become more aggressive in finding and penalizing instances in which Covered Entities and their Business Associates fail to protect the electronic protected health information (ePHI) in their care. And chances are, you’ve gotten the message: It is your healthcare organization’s legal responsibility to safeguard at all times the private patient data under your charge.

But even if you have already taken many of the necessary steps to build a HIPAA compliant IT infrastructure, there are almost certainly several vulnerabilities in your organization’s ePHI-security processes, typical digital stops that your ePHI makes along its journey to recipients or to your long-term secure archiving and storage. Most IT teams forget to secure or scrub their ePHI from these hiding places.

Here are 8 of the top ePHI vulnerable spots where even at this very moment your data might be hiding — leaving you open to noncompliance with HIPAA, exposed to cyber criminals, in jeopardy of a reputation-damaging breach, and creating many other ongoing risks to your healthcare practice or organization.

ePHI Data Leakage, and 8 Places You’ve Forgotten to Secure

1. USB Drives
Even for a disciplined and security-conscious healthcare IT team, it’s easy to forget the USB drive and other portable media-storage and transfer devices.

But your staff might be using them for faster and more convenient exchanging of ePHI documents between colleagues or to transfer them more easily from a device in the office to, say, a device at home. For your doctors or administrative staff, this might be completely innocent — just an easier way to work. But as far as HIPAA regulators are concerned, and for the cyber thief who steals the device and all of the data on it, these innocent intentions won’t protect your patients or your organization.

The preferred approach is to not allow files to be transferred to removable media, and systems can be implemented to automatically block such attempts to copy files. But if your staff is going to use USB drives to share and transfer ePHI, you’ll need to either insist on only company-issued drives — which you’ll equip with encryption software — and require that your employees who do use them delete all of the contents after each use.

2. Your Staff’s Texts
Because it’s such a convenient and immediate method of communication, doctors, nurses and other health professionals often use text messaging to communicate with colleagues and patients — and this often means transmitting ePHI in an unsecure way.

There are two problems here. First, under most circumstances texting ePHI is a HIPAA violation. In fact, according to a 2016 Healthcare IT article, HIPAA’s auditors can fine your organization up to $50,000 for each text containing ePHI.

Second, and equally important, texting ePHI can leave the data exposed to hackers, in several ways. If your staff is texting ePHI over an unsecure network — such as a WiFi hotspot in a public place — hackers can grab the data digitally. Also, what if the doctor texting ePHI with her cell phone loses that phone or has it stolen? Finally, even if your doctor remains extremely careful about how and where she texts, the ePHI data she is sending and receiving over the cellular network still remains in storage on the cellular provider’s own cloud — and there is no way of knowing either that the data is secured on the carrier’s own servers or who at the carrier’s company will be able to see it.

But remember that your staff probably also sends and receives work-related email, including ePHI, on their personal email accounts— such as web accounts like Gmail and Yahoo! Mail.

Often your doctors or administrative staff will do this for convenience; perhaps they’re in a location where they can’t access their corporate email. Other times they might simply forget which email program they’re using when they send a new message from their smartphone.

Whatever the reason, you should assume your employees are using their personal email accounts, often outside of your network firewall, to send and receive messages containing ePHI. So your IT team’s job here — and it’s a difficult one — will be to implement policies and provide training to steer your staff away from emailing outside the corporate system you’ve developed for work-related messages, particularly messages with ePHI.

And even secure email is only as secure as the system of the person receiving the email. If the recipient is on a non-secure personal email system, employees should be cautioned not to send email that contains protected information.

4. The Hard Drives of Your Copiers, Scanners and Fax Machines
When your employees scan, copy or fax physical documents containing ePHI, digital copies of those documents are saved to the hard drives of the copiers, scanners and fax machines. This is an often overlooked security vulnerability because people, even seasoned IT professionals, forget that these standard pieces of office equipment even have hard drives.

But as the healthcare educational company 4MedApproved points out, one health insurance provider was forced to pay a $1.2 million HIPAA fine for returning leased office equipment that still had stored patient records and other ePHI on the devices’ hard drives.

5. Your Voice Files
Let’s say a patient leaves a voicemail on your organization’s phone service, or on the smartphone issued to one of your doctors (or even to that doctor’s personal mobile phone). If the patient identifies herself and gives any personal information in that voicemail — almost a certainty in a message left for a medical office or doctor — that is considered ePHI.

Furthermore, let’s say your doctors use handheld dictation systems to record patient details during or immediately after patient appointments. And further imagine that the routine for many of your doctors is simply to keep the tapes of these recordings in an unlocked cabinet or even on an open shelf in their offices. Again, these voice recordings would qualify as ePHI — and need to be protected just as any fax server or network transmission containing patient records.
​
Your IT team’s task here — again, a difficult one — will be to train all staff on treating these voice recordings as the HIPAA-enforced protected data they are, and to implement processes to secure this ePHI at all times, whether digitally (in the case of patient voicemails) or physically (in the case of your doctors’ own patient recordings on dictation devices).

And it goes without saying that outside medical transcription services must be HIPAA compliant and willing to sign a BAA if they will be transcribing doctors notes that contain personally identifiable information.

6. Your Previous Electronic Medical Records System
Here’s a very common scenario in healthcare organizations today — particularly as the Affordable Care Act rules force many medical and dental practices to reconsider the records systems they are using. A doctor’s office decides to switch its Electronic Medical Records (EMR) system from, say, to NexGen.

After training its staff on the NextGen system and migrating its records over the new platform, the company will then often maintain a computer server that contains copies of all of its old records originally generated on its Cerner system. But very few of these companies will also provide adequate security for that old EMR data — even though it is still ePHI, subject to the exact same HIPAA regulations as new patient records.

Here your IT team’s responsibility will be to treat this archived data and the hardware storing it with the same level of care and security as your office’s current ePHI. That means you’ll need to maintain current usernames and passwords for authorized personnel, equip the server (and any transmissions of the data to or from that server) with encryption and other security protocols, and maintain usage logs for any access to the ePHI contained on this old server.

It’s easy to forget this data is even there. But if HIPAA auditors come knocking, you’re just as much at risk of a noncompliance fine from the ePHI stored here as you are from any other type of violation.

7. Your Medical Equipment’s Hard Drives
This is often another innocent oversight, but one that still leaves the healthcare organization at risk from both a data breach from cyber attackers and from landing on the wrong side of a HIPAA investigation. The CT scanner, MRI machine, dental x-ray device and other medical equipment in your office also have hard drives — and virtually all of the images and data stored on these hard drives is, by definition, ePHI.

You need to implement a process for encrypting these storage drives and regularly offloading the data to a secure server — whether that’s a cloud storage plan or an on-premises secure server that your IT team manages.

8. Your ePHI Held by Third-Party Vendors
To function as a healthcare organization today, you almost certainly need to work with third parties, such as an after-hours answering service and a cloud provider to back up and provide disaster recovery services for your data. But these are yet more examples of places where your ePHI is residing, and where they also need protecting at all times.

Any vendor that handles your ePHI should be able to demonstrate that they understand HIPAA’s requirements and their role in securing your ePHI, and that they have developed HIPAA compliant processes to secure your data at all times.

Make Your ePHI Faxes Secure and HIPAA Compliant

As we noted in ePHI vulnerability #4 above, your data is probably residing unsecured on the hard drives of your office’s copiers and fax machines. This is yet one more reason to upgrade your infrastructure from standard desktop fax machines or fax servers to a cloud fax model built specifically for businesses that need to transmit highly sensitive material by fax.

A pioneer in cloud faxing 20 years, eFax Corporate is the world’s leading cloud fax partner for enterprises, and the most trusted provider of digital faxing services to the most heavily regulated industries — including healthcare.

About Brad Spannbauer

A 20 year industry veteran, Brad Spannbauer currently oversees product strategy and planning, and provides direction and market leadership for j2 Cloud Connect's worldwide business as their Senior Director of Product Management. His focus in the Healthcare and Legal verticals led to Brad's involvement with the j2 Cloud Services™ compliance team, where he leads the team as the company's HIPAA Privacy & Compliance Officer.

eFax is the world’s #1 online fax service. More than 10 million customers use eFax every day to send and receive faxes from their computer, smartphone and email. See how we've made faxing simple for over 20 years. Start Faxing »